National Archives and Records Administration
8601 Adelphi Road
College Park, Maryland 20740-6001

Date: September 20, 2007

Reply to Attn of: Office of Inspector General (OIG)

Subject: Management Letter #07-12, Contingency Planning for Information Technology Systems

To: Allen Weinstein, Archivist (N)

The purpose of this memorandum is to formally bring to your attention conditions that could impact NARA's ability to recover information technology (IT) systems that are essential to the agency's mission in the event of a disaster or emergency situation.

Public Law 107-347, "The Federal Information Security Management Act (FISMA)," requires all Federal agencies to develop, document, and implement an information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Previous OIG Report No. 06-09, "Review of NARA's Information Security Program," July 31, 2006, identified IT contingency planning and disaster recovery as inadequate to support NARA's critical systems and recommendations were made to strengthen the contingency plans. Unfortunately, the recommended corrective measures were not adopted and contingency plans were not revised. During the ongoing audit of NARA's compliance with the FISMA, we reviewed the individual contingency plans developed for each information system and interviewed the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) regarding those plans.

We identified a significant risk to agency operations because adequate plans do not exist and coordination among NARA Senior Managers has not been established to ensure IT systems critical to NARA's mission can be recovered quickly and effectively following a service disruption or disaster. Specifically, NARA Senior Management identified several systems in the NARA Continuity of Operations Plan (COOP) as essential to their operations in the event of a regional or national emergency. According to the CIO, she lacks the organizational posture and baseline resources necessary to ensure that "critical" or "essential" systems will be available in the event of a regional or national emergency.

We bring this to your attention because the CIO has defined a lack of organizational authority and capacity to establish policy for ensuring that business owners have established COOPs to ensure agency operations can continue in the event IT systems are not available for long periods of time. We believe it to be imperative that this issue be resolved promptly in order for NARA to develop, document, and implement plans that minimize the agency's risk and afford NARA the opportunity to recover critical IT services following an emergency. This issue will be further addressed in the forthcoming FISMA audit report.

We suggest that you begin discussions with pertinent senior managers to clarify appropriate roles and responsibilities. We look forward to your response as to how you plan to address this condition. Should you have any questions, please contact me on (301) 837-1532.

Paul Brachfeld
Inspector General